Thread: strange log entry from Cisco PIX

  #1 Senior Member (joined Mar 2003, 372 posts)

    strange log entry from Cisco PIX

    OK, I have one of my PIX boxes dropping logs to a Symantec SIM box which we are doing an eval on.

    While scanning through what the SIM presented to me I came across the following log entry which is a bit of a head scratcher:

    IP address 0.1.0.4 has directed a denial of service exploit event at 0.1.0.4.


    I did some quick googling on that IP address and found RFC 3330, and a few references to people seeing this exact same IP. One of them was in a snort log, the other "big" hit was from someone seeing this IP assigned to a Logitech webcam.

    Anyone seen this before? Any ideas what it could be about?

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  #2 Senior Member (joined Mar 2004, 119 posts)
    It's most likely the webcam, as it's the address assigned to the Microsoft TV/Video interface when installing a Logitech camera.

  #3 Senior Member (joined Mar 2003, 372 posts)
    Well, I thought along those lines too, but this is the outside interface that picked it up, not my internal interface. It only happened once, and was listed by the SIM as a "One-Shot DoS".

    So how is my outside interface picking up a non-routable IP? Is it just spoofed and someone flubbed up the attack address too?


  #4 Senior Member (joined Mar 2004, 119 posts)
    It is either completely spoofed or your SIM didn't properly decode the log entry. I have seen a lot of SIMs that decide outside and inside based on IP addresses, and that subnet would appear to be external.
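The two possibilities raised in this thread (a spoofed or mis-decoded address, and a SIM that decides inside/outside from the address rather than the interface) can be checked directly against the raw PIX syslog instead of the SIM's rendering. The script below is an added example, not code from the thread, Cisco or Symantec. It assumes that the SIM's "denial of service exploit event from X at X" was its normalisation of the PIX land-attack denial (message 106017, which reports identical source and destination and names no interface); the sample log lines are constructed here and only approximate the PIX syslog format, and the RFC 3330 list is a subset.

```python
"""Triage of PIX syslog lines for the two things the thread puzzles over:
a reserved (RFC 3330) source address on the outside interface, and a
source that equals its destination.  Sample lines are constructed here;
the 106017 / 106023 / 302013 shapes approximate the PIX syslog format."""
import ipaddress
import re
from typing import Optional

# Subset of the RFC 3330 special-use blocks; 0.0.0.0/8 is the one 0.1.0.4 falls in.
SPECIAL_USE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample log lines (not from the poster's PIX).
SAMPLE_LOGS = """\
%PIX-2-106017: Deny IP due to Land Attack from 0.1.0.4 to 0.1.0.4
%PIX-4-106023: Deny tcp src outside:203.0.113.9/4432 dst inside:192.168.1.10/80 by access-group "outside_in"
%PIX-4-106023: Deny udp src outside:10.20.30.40/137 dst inside:192.168.1.20/137 by access-group "outside_in"
%PIX-6-302013: Built inbound TCP connection 12 for outside:198.51.100.7/53322 (198.51.100.7/53322) to inside:192.168.1.10/443 (203.0.113.1/443)
"""

# 106017 carries no interface name, so the PIX itself does not say which side saw it.
LAND_RE = re.compile(r"%PIX-\d-106017: Deny IP due to Land Attack from (\S+) to (\S+)")
DENY_RE = re.compile(r"%PIX-\d-106023: Deny \w+ src (\w+):([\d.]+)/\d+ dst (\w+):([\d.]+)/\d+")
CONN_RE = re.compile(r"%PIX-\d-30201\d: Built \w+ \w+ connection \d+ "
                     r"for (\w+):([\d.]+)/\d+ \([^)]*\) to (\w+):([\d.]+)/\d+")


def parse_pix(line: str) -> Optional[dict]:
    """Extract src/dst (and interfaces where the message has them) or None."""
    m = LAND_RE.search(line)
    if m:
        return {"id": "106017", "src": m.group(1), "dst": m.group(2),
                "src_if": None, "dst_if": None}
    for rx in (DENY_RE, CONN_RE):
        m = rx.search(line)
        if m:
            msg_id = re.search(r"%PIX-\d-(\d{6})", line).group(1)
            return {"id": msg_id, "src_if": m.group(1), "src": m.group(2),
                    "dst_if": m.group(3), "dst": m.group(4)}
    return None


def is_special_use(ip: str) -> bool:
    """True if ip lies in one of the RFC 3330 blocks listed above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SPECIAL_USE)


def naive_sim_direction(event: dict) -> str:
    """Direction as a SIM that infers inside/outside from addresses alone would call it."""
    return "outbound" if is_special_use(event["src"]) else "inbound"


def triage(line: str) -> list:
    """Return the findings for one log line (empty list means nothing odd)."""
    ev = parse_pix(line)
    if ev is None:
        return ["unparsed"]
    findings = []
    if ev["src"] == ev["dst"]:
        findings.append("land-attack")        # what PIX 106017 denies
    if is_special_use(ev["src"]):
        findings.append("bogon-source")       # should never arrive from the Internet
        if ev["src_if"] == "outside":
            # Spoofed, or decapsulated from an IPsec peer that carries private space.
            findings.append("bogon-on-outside")
    if ev["src_if"] == "outside" and naive_sim_direction(ev) == "outbound":
        findings.append("sim-direction-mismatch")  # the interface contradicts the SIM's guess
    return findings


if __name__ == "__main__":
    for line in SAMPLE_LOGS.splitlines():
        print(triage(line) or ["ok"], line[:60])
```

Run against the raw syslog feed rather than the SIM export: the third sample line is the case post #4 describes, where a SIM keying on addresses would file a 10/8 source as internal even though the PIX saw it on `outside`, while the 106017 line shows that the land-attack message gives the SIM no interface to key on at all, so "outside" in that case is the SIM's inference, not the firewall's.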

  #5 Senior Member (joined Mar 2004, 119 posts)
    I would like to hear the results of your eval. Have you looked at the Cisco MARS box?

  #6 Nokia, Right turn Clyde (joined Aug 2003, location Button Moon, 1,696 posts)
    It could be off a site-to-site VPN or maybe even a remote access one. Non-routable IP addresses can be 'routed' in an IPsec tunnel.

    It's probably not that, but I thought I would mention it anyway!

    In fact, thinking of it, that's the only way a non-routable IP can reach it, unless the outside interface is on a [routed] perimeter subnet and not directly connected to the outside world.

    This can be confusing in the logs and running config, as 'internal' IPs show up on the outside interface.
